January 20, 2016
Compensating Controls: “A safeguard or countermeasure, external to the device, employed by a user in lieu of, or in the absence of sufficient controls that were designed in by a device manufacturer, and that provides supplementary or comparable cyber protection for a medical device.”
Controlled Risk: “Present when there is sufficiently low (acceptable) residual risk that the device’s essential clinical performance could be compromised by a cybersecurity vulnerability.”
Cybersecurity Routine Updates and Patches: “Updates or patches to a device to increase device security and/or remediate vulnerabilities associated with controlled risk and not to reduce a risk to health or correct a violation of the FD&C Act.”
Cybersecurity Signal: “Any information which indicates the potential for, or confirmation of, a cybersecurity vulnerability or exploit that affects, or could affect a medical device.”
Essential Clinical Performance: This concept was developed for the purpose of this guidance and means “performance that is necessary to achieve freedom from unacceptable clinical risk, as defined by the manufacturer.”
Exploit: “An instance where a vulnerability or vulnerabilities have been exercised (accidentally or intentionally) and could impact the essential clinical performance of a medical device or use a medical device as a vector to compromise the performance of a connected device or system.”
Remediation: “Any action(s) taken to reduce the risk to the medical device’s essential clinical performance to an acceptable level. Remediation actions may include complete solutions to remove a cybersecurity vulnerability from a medical device (sometimes known as official fix) or compensating controls that adequately mitigate the risk (e.g., notification to customer base and user community identifying a temporary fix, or work-around).”
Threat: “Any circumstance or event with the potential to adversely impact the essential clinical performance of the device, organizational operations (including mission, functions, image, or reputation), organizational assets, individuals, or other organizations through an information system via unauthorized access, destruction, disclosure, modification of information, and/or denial of service.”
Threat Modeling: “A methodology for optimizing Network/Application/Internet Security by identifying objectives and vulnerabilities, and then defining countermeasures to prevent, or mitigate the effects of, threats to the system. For medical devices, threat modeling can be used to optimize mitigations by identifying vulnerabilities and threats to a particular product, products in a product line, or from the organization’s supply chain that can adversely affect patient safety.”
Uncontrolled Risk: “Present when there is unacceptable residual risk that the device’s essential clinical performance could be compromised due to insufficient compensating controls and risk mitigations.”
Vulnerability: “A weakness in an information system, system security procedures, internal controls, or implementation that could be exploited by a threat.”